Automated security assessment of business-critical systems and applications

ABSTRACT

Systems and methods which provide a new application security assessment framework that allows auditing and testing systems to automatically perform security and compliance audits, detect technical security vulnerabilities, and illustrate the associated security risks affecting business-critical applications.

RELATED APPLICATIONS

This application is a divisional of U.S. patent application Ser. No. 13/807,122 filed on Mar. 11, 2013.

TECHNICAL FIELD

The present invention is generally related to computer system security and, in particular, to the automated security assessment of business-critical applications and systems.

BACKGROUND OF THE INVENTION

Nowadays, most medium and large enterprises in the world rely on information systems to manage their key business processes. Examples of this type of system are solutions for Enterprise Resource Planning (ERP), Customer Relationship Management (CRM), Supplier Relationship Management (SRM), Supply Chain Management (SCM), Product Life-cycle Management (PLM), Human Capital Management (HCM), Business Intelligence (BI), Integration Platforms, etc. Industry-recognized software products in this area include SAP NetWeaver-based solutions and the SAP R/3 platform, Oracle E-Business Suite, JD Edwards EnterpriseOne, PeopleSoft, Siebel and Microsoft Dynamics. These products are used in most of the Fortune 100 and large governmental organizations in the world. SAP alone has more than 90,000 customers in more than 120 countries.

These systems are in charge of processing sensitive business information and managing key processes across the organization, such as procurement, billing, invoicing, financial planning, production, payroll management, etc. The confidentiality, integrity and availability of this information are therefore critical for the security and continuity of the business.

For this document, the architecture of this kind of business-critical system can be represented as in FIG. 1.

So far, most of the existing solutions for evaluating the security of these systems are designed to work on two layers: the functional layer [21] and the base layer. In the functional layer [21], solutions are designed to check mainly for Segregation of Duties violations. Solutions of this kind contain a comprehensive matrix of incompatible business functions and their mappings to the systems' related technical authorizations. On the other side, solutions working at the base layer mainly involve checking for security vulnerabilities in the base Operating System [24] and Database [23] layers of the systems.

While this kind of security assessment is of absolute importance, it has been noted that the security and auditing industry has so far been overlooking a major source of risk: the security of the technological components of these systems [22]. Each of these applications is developed using complex proprietary (as well as open) runtime platforms, specific protocols and security architectures. Due to the high complexity involved in proper security evaluation and assessment of this layer, added to the lack of consistent public information on the subject, its security is usually disregarded in the implementation phase and is not covered in later security audits of the systems either.

It is important to note that, despite being commonly disregarded, many of the threats in this layer have higher levels of risk than those in the functional layer [21], for the following reasons:

-   The cyber attacker does not need to have a user account in the target system, which increases the likelihood of attacks.
-   As many cyber attacks can be performed remotely and anonymously, tracing the attacker back to his source location can be far more complicated than detecting local attackers.
-   In order to perform attacks at the functional layer [21], a high level of knowledge about internal business processes and controls is usually required. Attacks on the technological layer [22] can be performed automatically, even using public exploits available on the Internet.

According to the practical experience of consultants engaged in specialized security assessments for world-wide customers, more than 95% of the evaluated systems were susceptible to sabotage, espionage and fraud attacks due to information security risks in their technological components. Surprisingly, many of those systems had passed regulatory compliance audits in the past.

It is also important to note that the relevance of this subject has grown radically over the last years. This is clearly reflected in the growth of related presentations at international security conferences and the increased number of technical security vulnerabilities being disclosed. It should be noted that the number of SAP security notes released each year has experienced rapid growth in the last years, increasing more than 3800% when comparing 2010 to 2007.

Performing this kind of comprehensive assessment through a manual approach is not feasible from a cost perspective, as common implementations of these systems can feature several dozen up to hundreds of Application Servers, each one comprising several security aspects to be reviewed.

At the same time, there are some solutions which try to automate some of these checks, such as the SAP Security Optimization Self-Service application, but they present several caveats that make them impractical for use as a security solution for professional security assessments and audits, such as:

-   It must be run from within an SAP system, meaning that the system used for evaluation could be the same as the one being evaluated. This is contrary to basic audit principles, which state that the auditing and the audited systems must be different in order to ensure the integrity of the audit results.
-   Related to the prior point, the fact that the assessments are executed from within an SAP system forces the user to have explicit SAP operation knowledge to successfully use the system.
-   Reduced customization possibilities. The user cannot perform fine-grained configuration of the checks to execute and their settings, and thus cannot check the system against different external or internal policies.
-   Low number of audit checks. Most of the checks are related to Segregation of Duties controls and the review of critical technical authorizations assigned to users. Many security settings are thus not evaluated automatically by the application, leaving an open gap for potential cyber attacks.
-   Lack of support for SAP Java platforms. The application can only perform checks for SAP ABAP platforms.
-   No blind discovery capabilities. The application can only evaluate systems manually configured by the user. This becomes highly impractical in large environments with hundreds or thousands of systems.
-   No black-box vulnerability assessment capabilities. The application only performs white-box security reviews.
-   No risk illustration. The application does not support the execution of risk illustration activities in order to demonstrate the real risk of detected security issues.

Other existing automated security software does not currently present reliable and advanced features to identify security risks affecting business-critical applications with a holistic approach (combining white-box reviews, black-box assessment and risk illustration activities), which results in a lack of detection of existing risks and generates a false sense of security for the organizations relying on it.

In view of the shortcomings discussed above, there is a need for systems and methods for performing automated security assessments of business-critical systems that take an entirely fresh approach and overcome the drawbacks of the conventional techniques.

SUMMARY OF INVENTION

The present invention provides systems and methods which have a new application security assessment framework which allows auditing and testing systems to automatically perform security and compliance audits, detect technical security vulnerabilities and illustrate the associated security risks affecting business-critical applications. Examples of such business-critical applications are Enterprise Resource Planning (ERP), Customer Relationship Management (CRM), Supplier Relationship Management (SRM), Supply Chain Management (SCM), Product Life-cycle Management (PLM), Human Capital Management (HCM), Integration Platforms, Business Warehouse (BW)/Business Intelligence (BI) and Integration applications developed by SAP, Oracle, Microsoft, Siebel, JD Edwards and PeopleSoft.

It is an object of the present invention to decrease business fraud risks derived from information security breaches, enforce compliance requirements and decrease audit costs for organizations using these business-critical applications.

The present invention overcomes the inefficiencies of the prior art by offering a program that can be executed from a computer system and remotely perform security assessment of the technological components of business-critical applications using different approaches and, therefore, providing holistic knowledge of the current security level of the target systems.

These and other objectives are accomplished by providing a component that enables the automated discovery, identification and organization of business-critical systems in a specified computer network.

Furthermore, the present invention provides a method for executing security assessment modules through a method that ensures that modules are executed according to a specified scope, thus generating consistent and non-redundant results.

These and other objectives are also achieved by providing several specialized modules that evaluate the specific information security risks affecting the technological components of SAP software programs.

In a first aspect, the present invention provides a system for automatically testing at least one target computer system for security vulnerabilities, the system comprising:

-   a core engine subsystem for storing data related to said security vulnerabilities and configurations for at least one target computer system or network of computer systems;
-   at least one scan engine subsystem in communication with said core engine subsystem, said scan engine subsystem comprising:
    -   a system identifier subcomponent for determining resources of said at least one target computer system;
    -   a plurality of testing and probing modules for automatically testing resources of said at least one target computer system and for determining a vulnerability of said resources;
    -   an intelligent dispatch subcomponent for launching at least one of said testing and probing modules based on a configuration of said module;

    wherein said at least one target computer system executes business-critical applications.

In another aspect, the present invention provides a method for determining security vulnerabilities of computer networks or computer systems, the method comprising:

-   a) determining addresses for at least one target whose security vulnerabilities are to be determined, said at least one target comprising at least one of computer networks, computer systems, and computer systems on said computer networks;
-   b) determining addresses of resources associated with said at least one target;
-   c) determining characteristics of said resources;
-   d) selecting at least one testing or probing module for each resource based on characteristics determined in step c);
-   e) executing said at least one testing or probing module selected in step d), said at least one testing or probing module for each resource being configured according to said characteristics of said resource for which said at least one testing or probing module has been selected;
-   f) receiving data from said at least one testing or probing module executed in step e);
-   g) determining security vulnerabilities of said at least one target based on said data received in step f).

Another aspect of the invention provides a system for automatically determining security vulnerabilities of computer networks or computer systems, the system comprising:

-   a core engine subsystem for storing data related to said security vulnerabilities and configurations for at least one target computer system or network of computer systems;
-   a scan engine subsystem in communication with said core engine subsystem, said scan engine subsystem comprising:
    -   a system identifier module for discovering and identifying said at least one target computer system or network and relevant resources of said at least one target computer system or network;
    -   an intelligent dispatch module for launching at least one testing or probing module based on a characteristic of at least one relevant resource discovered and identified by said system identifier module;
-   at least one testing and probing module for automatically testing said at least one relevant resource and for determining a vulnerability of said at least one relevant resource;

    wherein said at least one testing and probing module is controlled by said intelligent dispatch module and wherein security configurations for said target are stored in a database and said modules are executed on said data in said database.

A further aspect of the invention provides a method for assessing a security configuration of a target computer system, the method comprising:

-   a) scanning previously provided IP addresses and ports;
-   b) fingerprinting detected open ports to identify underlying services for said open ports;
-   c) detecting if said target system is active;
-   d) accessing a database of modules and executing at least one of said modules, said modules being for determining security vulnerabilities accessible through said IP addresses and ports;

    wherein

-   said at least one module is executed based on a configuration of said module;
-   said target computer system is for executing business-critical applications.

BRIEF DESCRIPTION OF THE DRAWINGS

The features and advantages will become more apparent from a detailed consideration of the invention when taken in conjunction with the drawings, in which:

FIG. 1 is a block diagram of an architecture for business-critical systems on which the present invention may be practiced;

FIG. 2 is a block diagram illustrating possible components of a system according to one aspect of the invention;

FIG. 3 is a screenshot of one user interface used with one aspect of the invention;

FIGS. 4A, 4B, and 4C are screenshots illustrating information from a security sweep session according to another aspect of the invention.

DETAILED DESCRIPTION OF THE INVENTION

The present system and method provides an application security assessment framework to automatically perform security and compliance audits, detect technical security vulnerabilities and illustrate the associated risks affecting business-critical applications. Examples of business-critical applications are ERP, CRM, HCM, SRM, SCM, front-end systems and Integration Platforms developed by SAP, Oracle, Microsoft, Siebel, JD Edwards and PeopleSoft.

The present invention is comprised of 4 basic logical components: a user interface, a core engine, a scan engine and modules. In general, and as elaborated in more detail below, the user will interact through the user interface to configure the target systems that will be evaluated, select the modules he wants to execute, start or schedule the assessment session, and obtain a report detailing discovered security risks. It should, however, be noted that a user interface is not necessary for the invention to properly operate. Its other components can be configured to operate automatically and autonomously of a user.

One preferred embodiment of this invention is a software program that is run in a Microsoft Windows, UNIX/Linux or Mac OSX operating system. Users access this program through different types of interfaces, such as Web-based or desktop technologies. The program connects to target systems remotely and performs the requested assessment activities. Results from the evaluation are stored centrally in the program's server database.

In another embodiment of the present invention, the target system's related security information has been extracted and stored in a database. The requested assessment activities are performed against that database repository.

In another embodiment of the present invention, only the user interface and the core engine of the program are run in a centralized server, while the scan engine and modules are executed in the target computer's operating system. The core engine instructs the scan engine which activities must be performed in the target system. The scan engine executes the required modules locally and sends the results back to the core engine, where they are stored and later processed by its sub-components.

In another embodiment of the present invention, the user interface and the core engine of the program are run in a centralized server, while the scan engine and modules are executed in an intermediate server. The core engine instructs the scan engine which activities must be performed in the target system. The scan engine executes the required modules remotely and sends the results back to the core engine, where they are stored and later processed by its sub-components.

While the present description outlines the architecture based on these 4 basic components, it is important to understand that other embodiments of this invention can group or further divide the activities of each component into a different set/combination of components.

Architecture

As described above, the present invention is preferably organized into 4 basic components: a user interface, a core engine, a scan engine and modules. These components have, in turn, a set of sub-components in charge of performing specific tasks in the application. These are presented in FIG. 2 and detailed in the respective sections below.

In order to understand the following sections, it is useful to understand the entities that are involved in the process:

-   Landscape/Asset Group: An arbitrary group of Systems/Assets and/or Components, identified by a name defined by the user.
-   System/Asset: Group of Components. These represent a system of a business-critical environment and are identified by a name.
-   Component: Group of Connectors. These represent a specific component of a System/Asset, such as an application server or a database server, etc. These are identified by a name and component-specific properties.
-   Connector: An interface to a specific service of a Component. Connectors are created automatically through discovery techniques or are created manually by the user. Connectors are identified by connector-specific properties.

User Interface

The User Interface [01] allows users to communicate with the application. This interaction mainly consists of selecting and configuring the targets, selecting which modules to run, starting or scheduling the session, and viewing and saving generated reports. The user can also choose to run special sessions configured through special Wizards [08] (Discovery and exploration, Audit & Compliance, Vulnerability Assessment, BizRisk Illustration), which automate and simplify many of the configuration activities to help non-advanced users in using the invention.

Target configuration is performed through the Landscape Manager [20] (see FIG. 3). Through this sub-component, the user can choose to configure each target manually or the user can choose to perform an automatic discovery of the existing systems in a provided IP address range. This automatic discovery is performed by the System Identifier sub-component [09] of the Scan Engine [02]. This sub-component is described in a separate section below. Landscape Configurations are stored in the Configuration Repository [15] sub-component.

Should the user need to configure a special selection and configuration of modules, to re-use them for future (and possibly repetitive) sessions, he will do so by interacting with the Policy Manager [06] sub-component. Through this sub-component, the user is presented with all the available modules/module categories. The user can select and configure module options and then save this configuration into a Policy, identified uniquely by a name.

The user interface can be implemented through different technologies in order to provide support for different kinds of needs. For example, a desktop graphical user interface is best suited to provide access to single-user installations. In another embodiment, a Web-based interface is used to provide access to multi-user, centralized implementations in large enterprises where the application needs to be accessed from several locations. In another embodiment, a non-interactive Web-service interface is provided to support interactions with third-party applications and systems.

If the user is using an interactive UI, the application will output session results through the Session Manager [05] sub-component. This sub-component outputs information about the session when the sub-component is started. Information from the session that is output can include detected security risks in each component of the evaluated landscapes, module execution status, session execution time, module messages, core engine messages, warnings and debug messages. FIGS. 4A, 4B, and 4C illustrate sample screenshots showing information from one such session.

After the session has been completed, the user can access the Report Manager [07] sub-component. This user interface sub-component interacts with the Report Generator [13] to obtain the content of reports which may be generated. Here the user is presented with different types of reports. The user can choose different reports for viewing or the user can save the reports to an external file in the local file-system. Supported file formats include PDF, XML, HTML, DOC, XLS, CSV and others.

Core Engine

This component [03] is responsible for several tasks of the application.

The Data Repository [12] sub-component stores information related to vulnerability descriptions, module information and sets of SQL queries for each supported database. All the information stored in the repository is localized. Because of this, the application can be made compatible with different languages. In the preferred embodiment, this repository is implemented as a local relational database.

The Configuration Repository [15] sub-component stores the information regarding Landscape Configurations, Policies, Core configuration settings and statistics. This information is retrieved and saved by other components of the application. In the preferred embodiment, this repository is implemented as a local relational database.

The Report Generator [13] sub-component deals with the generation of session reports after a session has been completed. This sub-component obtains the required information from the Knowledge Base [14]. This sub-component generates an XML string, or a string in other open or proprietary formats, which contains all the information of the session. The string can be interpreted by other components of the application or third-party applications.

Scan Engine

The System Identifier [09] is a sub-component which automatically discovers, identifies and organizes business-critical systems present in a computer network. The involved procedure begins when the sub-component is provided with a base Landscape name, a set of IP addresses and/or hostnames (targets), a set of ports to scan (ports_to_scan) and discovery options. IP addresses can be specified individually or in ranges. Discovery options include: whether the targets must be checked for activity, whether detected open ports must be fingerprinted to identify underlying services with lower false-positive rates, whether an attempt should be made to automatically identify and organize systems, as well as other options.

For each provided target, the sub-component will:

1. Try to detect if the target system is active, if the related discovery option is enabled. This is implemented by sending ICMP requests and/or TCP packets to specific ports on the target system, these specific ports being those commonly used by supported business-critical applications.
2. Perform a TCP and UDP port-scan over the target system, to each port specified in ports_to_scan, reporting open, closed and filtered ports.
3. If the related option is enabled, send all the probes located in the Fingerprint Database [11] to each detected open port and analyse the generated responses. If the received responses match expected responses, the service is successfully identified. Otherwise, the service is marked as “unidentified”. Each service marked as “identified” is checked to see if any of the application connectors is associated with it. If an application connector is associated with it, a new connector for that service on that target system is created.
4. If the option to identify and organize systems automatically is enabled, a special procedure described below is executed.

Given a list of connectors, the identification process consists of the following steps:

-   Every connector belongs to a specific component. If the component of the current connector does not already exist, it is created. Otherwise, the connector is added to the existing component.
-   Every connector, having deep knowledge of the service it connects to, tries to identify the System Name of the component it belongs to. This is performed by sending service-specific probes to the target system. If the connector can successfully detect the System Name, then the identification process adds the component to the respective system.
-   If the connector cannot detect the System Name, then certain rules are applied:
    -   If the connector's component already exists and another connector belonging to the same component was able to detect the name of the system, then that name is configured in the system.
    -   If there is a “sibling” component (a component belonging to the same system), then the System Name is obtained from that component.
    -   If the connector cannot obtain the name of the system, it may implement a method that tries to check for a specific system name. After all possible System Names are identified, the process will perform a check on every unidentified connector to verify if it can detect whether the provided System Name is valid.
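The identification procedure above, as an added example that is not code from the patent: a Python model of how connectors are grouped into components and systems, applying the rules in the order listed. The detect/validate callbacks stand in for the service-specific probes, and components sharing a host are treated as siblings; both are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed model of the entities this page defines: Connectors group into
# Components, Components group into Systems. The detect/validate callbacks stand
# in for the service-specific network probes (an assumption for this example).


@dataclass
class Connector:
    service: str
    host: str
    component_id: str                                      # owning Component
    detect_name: Callable[[], Optional[str]]               # probe: System Name or None
    validate_name: Optional[Callable[[str], bool]] = None  # probe: is this name valid?
    system_name: Optional[str] = None


@dataclass
class Component:
    component_id: str
    host: str
    connectors: List[Connector] = field(default_factory=list)
    system_name: Optional[str] = None


@dataclass
class Landscape:
    components: Dict[str, Component] = field(default_factory=dict)
    systems: Dict[str, List[str]] = field(default_factory=dict)  # name -> component ids


def identify(connectors: List[Connector]) -> Landscape:
    ls = Landscape()
    # Step 1: every connector belongs to a component; create it on first sight.
    for c in connectors:
        comp = ls.components.setdefault(c.component_id, Component(c.component_id, c.host))
        comp.connectors.append(c)
    # Step 2: each connector tries to detect the System Name through its own service.
    for comp in ls.components.values():
        for c in comp.connectors:
            c.system_name = c.detect_name()
            if c.system_name and comp.system_name is None:
                comp.system_name = c.system_name
    # Rule 1: a connector that failed takes the name a sibling connector of the
    # same component found (the component already carries it, see the last loop).
    # Rule 2: a component without a name takes it from a "sibling" component.
    # Assumption: components sharing a host are treated as siblings.
    for comp in ls.components.values():
        if comp.system_name is None:
            for other in ls.components.values():
                if other is not comp and other.host == comp.host and other.system_name:
                    comp.system_name = other.system_name
                    break
    # Rule 3: once all candidate names are known, every still-unidentified
    # connector that implements a validation probe checks each candidate.
    known = sorted({c.system_name for c in ls.components.values() if c.system_name})
    for comp in ls.components.values():
        for c in comp.connectors:
            if comp.system_name:
                break
            if c.validate_name is not None:
                comp.system_name = next((n for n in known if c.validate_name(n)), None)
    # Propagate the resolved name to the connectors and build the tree.
    for comp in ls.components.values():
        for c in comp.connectors:
            c.system_name = comp.system_name
        ls.systems.setdefault(comp.system_name or "UNIDENTIFIED", []).append(comp.component_id)
    return ls


def build_sample_landscape() -> Landscape:
    """Constructed discovery result: one system, PRD, spread over three hosts."""
    connectors = [
        # host1: the dispatcher probe knows the name, the gateway probe does not.
        Connector("dispatcher", "host1", "appsrv@host1", lambda: "PRD"),
        Connector("gateway", "host1", "appsrv@host1", lambda: None),
        # host1 database: cannot detect a name, resolved via the sibling component.
        Connector("db", "host1", "db@host1", lambda: None),
        # host2 Java stack: cannot detect, but can validate a proposed name.
        Connector("java", "host2", "java@host2", lambda: None, lambda n: n == "PRD"),
        # host3: no detection and no validation, so it stays unidentified.
        Connector("msgserver", "host3", "appsrv@host3", lambda: None),
    ]
    return identify(connectors)
```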

This component returns a tree structure like the one depicted in FIG. 3 for each landscape that was provided. Once the available ports and IP addresses are known, the various modules for assessing the target system's configuration, parameters, and settings can then be launched.

The Fingerprint Database [11] sub-component is responsible for storing a set of probes (network requests) for each supported connector, as well as the expected response (represented through regular expressions or an equivalent mechanism) for each probe. This repository is used mainly by the System Identifier [09] sub-component to analyse detected open ports for known services.

One of the problems that arises when evaluating the security of an SAP system in a black-box mode is the scope of the checks: some of the checks affect the entire system, some checks are only applied at the component level, while others are applied at the connector level. Without considering this kind of design consideration, launching every module against every compatible connector would result in the generation of redundant information and longer assessment times.

In order to solve this issue, the present invention implements the Module Intelligent Dispatcher [10], which takes into account the scope of modules (defined in each module) and launches them according to the following procedure:

-   If the scope of the module is SYSTEM, then the dispatcher tries to run the module on all the compatible connectors of the target system, until it is successfully executed. This means the module is successfully executed only once per system of the landscape.
-   If the scope of the module is COMPONENT, then the dispatcher tries to run the module on all the compatible connectors of the target component, until it is successfully executed. This means the module is successfully executed only once per component of the system.
-   If the scope of the module is CONNECTOR, then the dispatcher runs the module on all the compatible connectors. This means the module is executed only once per connector.

Following this procedure, the present invention can ensure that every landscape/system/component/connector is properly evaluated and avoids the generation of redundant information.

The Knowledge Base [14] sub-component works as a repository for storing all the information generated during a scan session. This information is composed of the evaluated targets, module Policies used, module execution status, and generated results. This information comprises the base data for report generation and has another important use: it allows for the sharing of data between modules during the session. Every result that a module generates is stored in the Knowledge Base [14] under a specific key. Therefore, any module under execution can choose to request information from the Knowledge Base [14] by providing the respective key. This enables the development of cohesive modules and mimics some of the manual techniques, where information obtained through some access points could be useful for other points.
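An added example, not the patent's own implementation, of the dispatcher's SYSTEM/COMPONENT/CONNECTOR scope handling together with the keyed Knowledge Base sharing described in the two passages above. Module names, connector names and the check bodies are constructed; the profile parameter is used only as sample data that one module stores and another reads.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed model of the Module Intelligent Dispatcher and the Knowledge Base.
# Module names, connector names and the check bodies are made up for this example;
# the run callbacks stand in for real checks and only record what they would find.

@dataclass(frozen=True)
class Connector:
    system: str
    component: str
    service: str                  # e.g. "rfc" or "http"

class KnowledgeBase:
    """Session store: results under a key, plus a log of every module execution."""
    def __init__(self) -> None:
        self.results: Dict[str, object] = {}
        self.log: List[Tuple[str, Connector, bool]] = []    # (module, connector, success)

    def put(self, key: str, value: object) -> None:
        self.results[key] = value

    def get(self, key: str, default=None):
        return self.results.get(key, default)

    def executions(self, module_name: str) -> int:
        return sum(1 for name, _, _ in self.log if name == module_name)

@dataclass
class Module:
    name: str
    scope: str                    # "SYSTEM", "COMPONENT" or "CONNECTOR"
    compatible: Tuple[str, ...]   # services the module can run against
    run: Callable[[Connector, KnowledgeBase], bool]   # True when executed successfully

def scope_key(module: Module, c: Connector) -> tuple:
    """Identity of the unit a module must be successfully executed once for."""
    if module.scope == "SYSTEM":
        return (c.system,)
    if module.scope == "COMPONENT":
        return (c.system, c.component)
    if module.scope == "CONNECTOR":
        return (c.system, c.component, c.service)
    raise ValueError(f"unknown scope {module.scope!r}")

def dispatch(modules: List[Module], connectors: List[Connector], kb: KnowledgeBase) -> KnowledgeBase:
    for m in modules:
        satisfied = set()                 # scope keys already successfully executed
        for c in connectors:
            if c.service not in m.compatible or scope_key(m, c) in satisfied:
                continue
            ok = m.run(c, kb)
            kb.log.append((m.name, c, ok))
            if ok:                        # SYSTEM/COMPONENT: no retry on further connectors
                satisfied.add(scope_key(m, c))
    return kb

# Constructed check bodies. collect_profile fails on PRD/app01 to show that a
# SYSTEM-scoped module is retried on the next compatible connector of that system.
def collect_profile(c: Connector, kb: KnowledgeBase) -> bool:
    if (c.system, c.component) == ("PRD", "app01"):
        return False                      # simulated: the call was refused
    kb.put(f"profile/{c.system}", {"login/min_password_lng": 6})
    return True

def review_password_policy(c: Connector, kb: KnowledgeBase) -> bool:
    profile = kb.get(f"profile/{c.system}")          # data shared through the Knowledge Base
    if profile is None:
        return False
    kb.put(f"finding/{c.system}/weak_min_pw_length", profile["login/min_password_lng"] < 8)
    return True

def check_gateway(c: Connector, kb: KnowledgeBase) -> bool:
    kb.put(f"gateway/{c.system}/{c.component}", "reviewed")
    return True

def check_tls(c: Connector, kb: KnowledgeBase) -> bool:
    kb.put(f"tls/{c.system}/{c.component}/{c.service}", "reviewed")
    return True

def run_sample_session() -> KnowledgeBase:
    modules = [
        Module("collect_profile", "SYSTEM", ("rfc",), collect_profile),
        Module("review_password_policy", "SYSTEM", ("rfc",), review_password_policy),
        Module("check_gateway", "COMPONENT", ("rfc", "http"), check_gateway),
        Module("check_tls", "CONNECTOR", ("http",), check_tls),
    ]
    connectors = [                        # constructed landscape: PRD on two hosts, QAS on one
        Connector("PRD", "app01", "rfc"), Connector("PRD", "app01", "http"),
        Connector("PRD", "app02", "rfc"), Connector("PRD", "app02", "http"),
        Connector("QAS", "app01", "rfc"),
    ]
    return dispatch(modules, connectors, KnowledgeBase())
```

Because modules run in order, the SYSTEM-scoped consumer finds the producer's result under the shared key even though it ran on a different connector of the same system.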

Modules

Modules [04] are the components which perform a specific action or function over the target systems. As shown in FIG. 2, modules can belong to one of 3 categories: Discovery & Exploration, Audit & Vulnerability Assessment, or Risk Illustration. Each module also belongs to a specific Knowledge Pack (which groups modules compatible with the same kind of business-critical Application). Examples of Knowledge Packs are: Knowledge Pack for SAP NetWeaver and R/3, Knowledge Pack for Oracle and Knowledge Pack for Microsoft.

Because business-critical applications are built upon several components, each featuring its own interfaces, protocols and security settings, a set of modules for each component is developed. Their description and function can be found below:

Procedures for Discovering, Auditing, Detecting Vulnerabilities and Illustrating Security Risks in the RFC Interface of SAP Application Servers

Automated Analysis of Whether an External RFC Server is the SAPXPG Program

This check is performed by connecting to the external RFC server and issuing the RFC_DOCU function call. If functions starting with the name “SAPXPG” are found in the returned output, the server is detected as SAPXPG.

Other procedures involve attempting to execute the SAPXPG_START_XPG or SAPXPG_START_XPG_LONG functions, and checking if execution was successful.

Automated Analysis of Whether it is Possible to Start External RFC Servers Through an SAP Gateway

Based on the tpnames parameter specified by the user in the module's options, the module connects to the target SAP Gateway and tries to start the RFC server in the specified tphost. The module returns which (if any) tpnames can be started in the specified tphost through the target SAP Gateway.

This module thus implements a method as follows:

a) the module receives at least one program identifier from the user;
b) for each program identifier, the module
-   b1) connects to a gateway for the target system
-   b2) attempts to initiate a specific server associated with the program identifier on a host for the program identified by the program identifier
c) determines which programs associated with the program identifiers can be initiated based on the result of step b1) for each program identifier.

Interactively Crafting and Sending of RFC Function Calls to SAP Application Servers

This module provides a graphical user interface to create and send RFC calls to an RFC partner, without the need of using an SAP system. After specifying the target system as well as the credentials and the function module to execute, the module connects to the remote party and obtains the required parameters and tables that the function module declares in its interface. The user can then configure each parameter and issue the function call. Results are processed by the module and presented graphically to the user.

Automated Security Analysis of RFC Destinations

The module obtains the RFCDES or equivalent table from an SAP Application Server and analyses its contents, reporting security risks associated with the existence of connections with stored credentials, trust relationships and unencrypted interfaces.

Graphical Display of Interfaces for Incoming/Outgoing Connections in SAP Systems

The module obtains the RFCDES or equivalent table and the application-level log files from every SAP Application Server and analyses their contents, presenting a graphical representation of the connections between the different SAP systems, and with external systems, so that the user can quickly identify which connections could represent a security risk to the implementation. Information about each connection is presented in the graph.

This module therefore executes a method where the module:

a) retrieves destination tables for remote function calls and other interfaces for application servers associated with the target system
b) retrieves log files for applications for the target system
c) determines connections between different systems associated with the target system based on the destination tables and log files
d) graphically maps the connections
e) provides the user with a graphical map of the various connections.

Automated Security Evaluation of the Reginfo File

The module obtains the contents of the reginfo file, either through special RFC function modules or by retrieving the file from the Application Server's file-system, accessing the file configured in the gw/reg_info profile parameter.

The file is analysed line-by-line by the module, which reports a security risk if any of the following conditions is met:

-   The file does not exist.
-   A line does not have a TP parameter, or the TP parameter contains an *.
-   A line does not have a HOST parameter, or the HOST parameter contains an *.
-   A line does not have a NO parameter, or the NO parameter contains an *.
-   A line does not have an ACCESS parameter, or the ACCESS parameter contains an *.
-   A line does not have a CANCEL parameter, or the CANCEL parameter contains an *.
-   Any other combination of the defined/possible parameters that could result in a security risk for the application server or system.

Automated Security Evaluation of the Secinfo File

The module obtains the contents of the secinfo file, either through special RFC function modules or by retrieving the file from the Application Server's file-system, accessing the file configured in the gw/sec_info profile parameter.

The file is then analysed line-by-line by the module, which reports a security risk if any of the following conditions is met:

-   The file does not exist.
-   A line does not have a USER parameter, or the USER parameter contains an *.
-   A line does not have a PWD parameter, or the PWD parameter contains an *.
-   A line does not have a USER-HOST parameter, or the USER-HOST parameter contains an *.
-   A line does not have a HOST parameter, or the HOST parameter contains an *.
-   A line does not have a TP parameter, or the TP parameter contains an *.
-   Any other combination of the defined/possible parameters that could result in a security risk for the application server or system.
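The line-by-line evaluation described for the reginfo and secinfo files above, as an added example that is not the patent's own code: the required-parameter lists come from the two condition lists, while the treatment of `#` lines as comments, the file paths and the sample file contents are assumptions made here.

```python
"""Gateway reginfo/secinfo evaluation (added example, not the patent's code)."""
import os
import re
from typing import Dict, List, Optional

# Parameters every entry must define, taken from the two condition lists above.
REQUIRED_PARAMS = {
    "reginfo": ["TP", "HOST", "NO", "ACCESS", "CANCEL"],
    "secinfo": ["USER", "PWD", "USER-HOST", "HOST", "TP"],
}

_PARAM_RE = re.compile(r"([A-Z-]+)=(\S*)")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one 'P TP=... HOST=...' entry into {'_rule': 'P', 'TP': ..., ...}.
    Returns None for blank and '#' lines (assumption: '#VERSION=2' headers and
    comments carry no permission and are skipped)."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    parts = stripped.split(None, 1)
    entry = {"_rule": parts[0]}
    if len(parts) > 1:
        entry.update(_PARAM_RE.findall(parts[1]))
    return entry


def evaluate_lines(kind: str, lines: List[str]) -> List[str]:
    """Report one finding per violated condition, tagged with its line number."""
    findings: List[str] = []
    for number, line in enumerate(lines, start=1):
        entry = parse_line(line)
        if entry is None:
            continue
        for param in REQUIRED_PARAMS[kind]:
            if param not in entry:
                findings.append(f"line {number}: missing {param} parameter")
            elif "*" in entry[param]:
                findings.append(f"line {number}: {param} contains a wildcard (*)")
    return findings


def evaluate_file(kind: str, path: str) -> List[str]:
    """Apply the checks to a file retrieved from the application server's
    file-system; a missing file is itself reported as a risk."""
    if not os.path.exists(path):
        return [f"{kind} file {path} does not exist"]
    with open(path, encoding="utf-8") as handle:
        return evaluate_lines(kind, handle.readlines())


# Constructed sample contents (not taken from any real system).
SAMPLE_REGINFO = [
    "#VERSION=2",
    "P TP=SAPXPG HOST=app01 NO=1 ACCESS=app01 CANCEL=app01",
    "P TP=* HOST=* ACCESS=*",
]
SAMPLE_SECINFO = [
    "#VERSION=2",
    "P TP=/usr/sap/bin/myprog USER=batch PWD=secret USER-HOST=app01 HOST=app01",
    "P TP=* USER=* HOST=*",
]

if __name__ == "__main__":
    for finding in evaluate_lines("reginfo", SAMPLE_REGINFO):
        print("reginfo:", finding)
    for finding in evaluate_lines("secinfo", SAMPLE_SECINFO):
        print("secinfo:", finding)
```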

Procedures for Discovering, Auditing, Detecting Vulnerabilities and Illustrating Security Risks in the SAProuter Component

Automated Black-Box Analysis of SAProuter Route Permission Table

The user specifies the set of IP ranges and ports to test for. The module tries to connect to each specified IP and port combination through the target SAProuter. The module evaluates the messages generated by the SAProuter. If the SAProuter returns a message describing that the route connection is denied, the connection is marked as impossible. Otherwise, the connection is marked as successful. The module returns the status of all connections performed and performs a risk assessment on them.

For clarity, this module executes a method where the module

a) receives IP address ranges and ports from the user
b) attempts to connect to each IP address and port combination through a software router associated with the target system, with each combination being derived from the IP address ranges and ports from step a)
c) determines that a connection (representing a specific IP address and port combination) is successful if the software router does not deny a connection attempt using that IP address and port combination
d) provides the user with a listing of successful and failed connections.

Automated White-Box Analysis of SAProuter Route Permission Table

This module parses the SAProuter Route Permission Table file. This file is a plain-text file consisting of one entry per line. The module analyses each entry and reports a security risk if any of the following conditions is met:

-   The evaluated entry is P * * * or P * * * *.
-   The evaluated entry is S * * * or S * * * *.
-   The evaluated entry is KP * * * or KP * * * *.
-   The evaluated entry is KS * * * or KS * * * *.
-   The evaluated entry starts with KT and contains an * in the <src-host> parameter.
-   The evaluated entry contains an * in the <source-host> parameter.
-   The evaluated entry contains an * in the <dest-host> parameter.
-   The evaluated entry contains an * in the <dest-serv> parameter.
-   The evaluated entry contains an * in the <password> parameter.
-   The evaluated entry contains a 22 in the <dest-serv> parameter.
-   The evaluated entry contains a 23 in the <dest-serv> parameter.
-   The evaluated entry contains an 80 in the <dest-serv> parameter.
-   The evaluated entry contains a 1503 in the <dest-serv> parameter.
-   The evaluated entry contains a 5601 in the <dest-serv> parameter.
-   The evaluated entry contains a 1527 in the <dest-serv> parameter.
-   The evaluated entry contains a 1433 in the <dest-serv> parameter.
-   The evaluated entry contains another non-SAP service in the <dest-serv> parameter.
-   The evaluated entry starts with a “P”, and the <dest-serv> is an SAP application service.
-   The last entry is not equal to D * * * *.
-   Any other combination of the defined/possible parameters that could result in a security risk for the implementation.

Automated Retrieval of Information from Remote SAProuter
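The white-box evaluation of the route permission table described above, as an added example that is not the patent's own code. The named non-SAP ports come from the condition list; the port ranges used to recognise SAP application services (dispatcher 32NN, gateway 33NN, message server 36NN), the exemption of D entries from the wildcard checks (the list itself requires a final D * * * * line), the treatment of `#` lines as comments and the sample table are assumptions made here.

```python
"""SAProuter route permission table (saprouttab) evaluation (added example)."""
import re
from typing import List, Optional

# Well-known non-SAP destination ports named in the checks above.
NAMED_NON_SAP_PORTS = {
    "22": "ssh", "23": "telnet", "80": "http", "1503": "T.120/NetMeeting",
    "5601": "pcANYWHERE", "1527": "Oracle Net", "1433": "MS SQL Server",
}
# Assumption: dispatcher (32NN), gateway (33NN) and message server (36NN)
# ports, or their sapdpNN/sapgwNN/sapmsNN names, count as SAP application
# services; any other destination service is treated as non-SAP.
_SAP_PORT_RE = re.compile(r"^(32|33|36)\d{2}$")
_SAP_NAME_RE = re.compile(r"^sap(dp|gw|ms)\d{2}$")
DENY_ALL = ["D", "*", "*", "*", "*"]


def is_sap_service(dest_serv: str) -> bool:
    return bool(_SAP_PORT_RE.match(dest_serv) or _SAP_NAME_RE.match(dest_serv))


def parse_entry(line: str) -> Optional[List[str]]:
    """Return [rule, src-host, dest-host, dest-serv, password?] or None for
    blank and comment lines (assumption: '#' introduces a comment)."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    return stripped.split()


def evaluate_entry(number: int, fields: List[str]) -> List[str]:
    """Apply the per-entry conditions to one parsed entry."""
    rule = fields[0]
    if rule == "D":
        return []  # a deny entry cannot widen access, so wildcards are expected
    src, dest, serv = (fields + ["", "", ""])[1:4]
    password = fields[4] if len(fields) > 4 else None
    findings: List[str] = []
    if rule in ("P", "S", "KP", "KS") and fields[1:] in (["*"] * 3, ["*"] * 4):
        findings.append(f"line {number}: '{rule} * * *' permits any route")
    if rule == "KT" and "*" in src:
        findings.append(f"line {number}: KT entry with wildcard <src-host>")
    elif "*" in src:
        findings.append(f"line {number}: wildcard in <src-host>")
    if "*" in dest:
        findings.append(f"line {number}: wildcard in <dest-host>")
    if "*" in serv:
        findings.append(f"line {number}: wildcard in <dest-serv>")
    if password is not None and "*" in password:
        findings.append(f"line {number}: wildcard in <password>")
    if serv in NAMED_NON_SAP_PORTS:
        findings.append(f"line {number}: route to {NAMED_NON_SAP_PORTS[serv]} port {serv}")
    elif serv and "*" not in serv and not is_sap_service(serv):
        findings.append(f"line {number}: route to non-SAP service {serv}")
    if rule == "P" and is_sap_service(serv):
        findings.append(f"line {number}: plain 'P' route to SAP application service {serv}")
    return findings


def evaluate_table(lines: List[str]) -> List[str]:
    """Evaluate every entry and check that the table ends with a deny-all line."""
    findings: List[str] = []
    last_entry = None
    for number, line in enumerate(lines, start=1):
        fields = parse_entry(line)
        if fields is None:
            continue
        last_entry = fields
        findings.extend(evaluate_entry(number, fields))
    if last_entry != DENY_ALL:
        findings.append("last entry is not 'D * * * *'")
    return findings


# Constructed sample table (not taken from any real system).
SAMPLE_SAPROUTTAB = [
    "# constructed sample",
    "S 10.0.0.0/8 sapsrv01 3200",
    "P 10.0.0.0/8 sapsrv01 3200",
    "P 10.0.0.5 dbhost 1433",
    "P * * *",
    "D * * * *",
]

if __name__ == "__main__":
    for finding in evaluate_table(SAMPLE_SAPROUTTAB):
        print(finding)
```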

The module creates an info-request network packet and sends it to the target SAProuter. If the connection is accepted, the module returns the information provided by the target.

Automated Black-Box Analysis of the Possibility of Routing Native Protocols Through SAProuter

For this module, the user specifies the set of IP ranges and ports to test. The module tries to connect to each specified IP and port combination through the target SAProuter, enabling the special flag in the NI packet that specifies that the request is using Native protocols. The module evaluates the messages generated by the SAProuter. If the SAProuter returns a message describing that the route connection is denied, the connection is marked as impossible. Otherwise, the connection is marked as successful. The module returns the status of all connections performed and performs a risk assessment on them.

This module executes the following steps:

a) the module receives IP address ranges and ports from the user
b) the module then attempts to connect to each IP address and port combination (from the IP ranges and ports from the user) through a software router associated with the target system. These connections to the software router are performed setting special indicators to notify that they are based on native protocols.
c) the module then determines that a connection (representing a specific IP address and port combination) is successful if the software router does not deny a connection attempt using the specific IP address and port combination
d) after attempting all possible IP address and port combinations from the listing from step a), the module then provides the user with a listing of successful and failed connections.

Method for Routing Local Network Programs Through SAProuters

The module creates a local end-point consisting of a SOCKS proxy or virtual interface and a second component consisting of a SAProuter protocol translator. The user connects to the local end-point using network software. The network traffic is forwarded from the local end-point to the SAProuter protocol translator, which packs it into SAProuter-compatible NI packets and sends them to the target SAProuter. The response is received and the inverse process is carried out. The SAProuter protocol translator unpacks the NI response and forwards it to the local end-point which, in turn, sends it back to the original network software.

The module's function can be expressed as a method where the module:

a) creates an end-point with the end-point having a proxy server and a protocol translator; (the protocol translator translates protocols associated with the target system and its software routers.)
b) receives outgoing network traffic from network software connected to said end-point;
c) forwards outgoing network traffic to the protocol translator;
d) at the protocol translator, packages the outgoing network traffic into outgoing packets compatible with the target system's software routers;
e) forwards the outgoing packets to the target system's software routers;
f) receives incoming packets from the software routers;
g) sends the incoming packets to the protocol translator;
h) unpacks the incoming packets into incoming network traffic; and
i) forwards the incoming network traffic to the network software.

Automated Analysis of SAProuter Initialization Parameters

The module receives, as input, the command string used to start the SAProuter program. The module reports a security risk if any of the following conditions are met:

-   The command string does not contain a “-G” argument.
-   The command string does not contain a “-Y 0” argument.
-   The command string does not contain a “-Z” argument.
-   Any other combination of the defined/possible parameters that could result in a security risk for the implementation.

Automated Exploitation of Vulnerabilities in SAPRouter

The module exploits reported vulnerabilities in SAProuter components. Depending on the vulnerability, a special network request is sent by the module to the target system. This allows the user to perform a security sensitive operation over the target system.

Procedures for Discovering, Auditing, Detecting Vulnerabilities and Illustrating Security Risks in the SAP Internet Communication Manager Component

Automated Black-Box Analysis of Status of ICM/ICF Services

The module is supplied with a database file containing a comprehensive list of existing ICM/ICF services (services listed through transaction SICF). For each service retrieved from the database, the module connects to the target ICM service and sends an HTTP(S) GET/HEAD request for the service URL. The module parses the HTTP(S) response generated by the server and, according to the HTTP status code, reports the status of the service, according to the following criteria:

-   If the status code is in the 200-299 range, the service is regarded as “accessible”.
-   If the status code is 401, the service is regarded as “user is unauthorized”.
-   If the status code is in the 500-599 range, the service is regarded as “reported error”.
-   If the status code is other, the service is regarded as “not accessible”.

This module implements a method described by the following steps:

-   a) receiving a listing of existing services at a target system
-   b) for each service listed,
    -   b1) connecting to the service
    -   b2) sending a request using an associated address for the service
    -   b3) receiving a response from the service
-   c) determining a status of each service listed based on the responses received
-   d) sending a status of each service to the user.

Automated White-Box Analysis of Status of ICM/ICF Services

The module connects to the target server's database and analyzes the contents of tables ICFAPPLICATION, ICFDOCU, ICFHANDLER, ICFINSTACT, ICFSECPASSWD, ICFSERVICE, ICFSERVLOC, ICFVIRTHOST and others. The module reports the status of the services and their security configuration.

Automated Black-Box Analysis of Usage of HTTPS Protocol

The module tries to connect to the target ICM service and sends an HTTP request for any URL. If the server responds without protocol-level errors, the module reports a security risk, as encryption is not enforced in the service.

Automated White-Box Analysis of Usage of HTTPS Protocol

This module connects to the target server and retrieves the profile parameters icm/server_port_0 to icm/server_port_9 and icm/HTTPS/verify_client or equivalent. If the module determines that the server is not using SSL, a security risk is reported.

Automatic Detection of Information Disclosure in Error Messages

The module sends an HTTP(S) request to the ICM service which is known to trigger an exception in the server, and parses the server response. If the module detects that the generated response contains information about the SAP system ID and/or other configuration information, a security risk is reported.

Automated Analysis of SSL Configuration Security in ICM Service

The module checks the target ICM service's SSL properties. The module reports a security risk if any of the following conditions is met:

-   The SSL certificate is expired.
-   The SSL certificate is issued to a different name than the server host name.
-   The SSL certificate is not signed by a known Certificate Authority.
-   The SSL certificate is signed using a weak hash algorithm.
-   The SSL service supports weak ciphers.
-   The SSL service supports weak protocols (SSLv2).

Automatic Detection of Availability of the SAP ICM Administration Interface

The module reports a security risk if the SAP ICM Administration interface is configured. This is checked by sending an HTTP(S) request to the ICM service, specifying the URL where the ICM Administration Interface is supposed to be configured (defaults to /sap/icm/admin). If the server responds with an HTTP(S) response with a status code different from 404, a security risk is reported. The module can also perform this check by analysing the icm/HTTP/admin_<xx> or equivalent profile parameter. If the parameter is configured with a value different from “ ” (blank), a security risk is reported.

Automatic Detection of ICM Services with Reported Security Issues

The module connects with the target ICM service and sends an HTTP(S) request for each service located in a special database file. The database file contains service URLs for each service which has a reported security vulnerability in an SAP Note or equivalent. If the server response contains a response code different from 404, a security risk is reported.

Automated Exploitation of Vulnerabilities in ICM Services

The module exploits reported vulnerabilities in ICF services, BSP applications and ABAP WebDynpro applications. Depending on the vulnerability, a special HTTP(S) request is sent by the module, which allows the user to perform a security sensitive operation over the target ICM service.

Procedures for Discovering, Auditing, Detecting Vulnerabilities and Illustrating Security Risks in the SAP Enterprise Portal and J2EE Engine Components

Automated Black-Box Analysis of Status of Java Applications

The module is supplied with a database file containing a comprehensive list of existing Java Applications (applications listed through the WebDynpro Console or Content Administration of the J2EE Engine). For each application retrieved from the database, the module connects to the target service and sends an HTTP(S) GET/HEAD request for the application's URL. The module parses the HTTP(S) response generated by the server and, according to the HTTP status code and body, reports the status of the application, according to the following criteria:

-   If the status code is 200 and the body does not contain the string “Internal Server Error” or a redirection directive, the application is regarded as “accessible”.
-   If the status code is 200 and the body contains the string “Internal Server Error” or a redirection directive, the application is regarded as “not accessible”.
-   If the status code is not 200 and the body contains the string “not deployed”, the application is regarded as “not deployed”.

Automated Analysis of Whether User Self-Registration is Enabled

The module connects to the target SAP J2EE Engine and sends a request for the /webdynpro/dispatcher/sap.com/tc~sec~ume~wd~enduser/SelfregApp and/or the /useradmin/selfReg URLs or equivalent. If no error is detected in the server response, a security risk is reported.

Automated Analysis of Whether SAP Knowledge Management can be Accessed Anonymously

The module connects to the target SAP Enterprise Portal service and sends an HTTP request to the SAP Knowledge Management component, without specifying access credentials. If no error is generated by the server, the module reports a security risk.

Automated Remote Retrieval of SAP Enterprise Portal Version

The module connects to the target SAP J2EE Engine and sends a request for the /irj/portal URL or equivalent. The server response is parsed, and the string after the PortalVersion string in the HTML content is retrieved and reported.

Automated Black-Box Analysis of Usage of HTTPS Protocol

The module tries to connect to the target J2EE Engine service and sends an HTTP request for any URL. If the server responds without errors, the module reports a security risk, as encryption is not enforced in the service.

Automated Analysis of SSL Configuration Security in J2EE Engine Service

The module checks the target J2EE Engine service's SSL properties. The module reports a security risk if any of the following conditions is met:

-   The SSL certificate is expired.
-   The SSL certificate is issued to a different name than the server host name.
-   The SSL certificate is not signed by a known Certificate Authority.
-   The SSL certificate is signed using a weak hash algorithm.
-   The SSL service supports weak ciphers.
-   The SSL service supports weak protocols (SSLv2).

Automated Black-Box Discovery and Analysis of the Global Services Via SAP Knowledge Manager

The module connects to the target SAP Enterprise Portal and sends an HTTP request to /irj/go/km/navigation/runtime/ or equivalent. If the server responds with a list of Global Services, the module reports them in an information message.

Automated Remote Creation of a User in SAP Enterprise Portal

If the user self-registration procedure is enabled in the target service, the module sends a specially-crafted HTTP request message to create a user in the remote system.

Automated Remote Retrieval of SAP Enterprise Portal Installation Path

The module connects to the target SAP Enterprise Portal and sends a request for the /irj/servlet/prt/soap URL or equivalent with a random file name (i.e. /irj/servlet/prt/soap/<random_value>.wsdl). The server response is parsed and the installation path is retrieved and reported.

Automated Internal Port-Scan Using the J2EE Engine Web Services Navigator

The module first detects if the Web Services Navigator application is enabled in the target. If it is, it sends specially crafted HTTP GET and POST requests to this service, based on a set of IP ranges and ports defined by the user, in order to force the Web Services Navigator to connect to these systems and services. The server response is parsed in order to analyse connection results and the outcome is reported to the user.

Automated Email Sending Through SAP Enterprise Portal

The module tries to use the SAP Enterprise Portal component SAP Collaboration. The module sends specially crafted HTTP POST and GET requests in order to send specific email to users of the SAP Enterprise Portal who have their email addresses properly configured.

Automated Remote Retrieval of SAP Portal Technical Information and Automated Security Analysis

The module connects to the target SAP Enterprise Portal and downloads a file containing the SAP J2EE Engine configuration parameters. This file is opened by the module and each configuration parameter is analysed in order to detect security risks. Should a security risk be detected, the module reports it to the user.

Automated Exploitation of Vulnerabilities in SAP Enterprise Portal and J2EE Engine Components

The module exploits reported vulnerabilities in SAP Enterprise Portal and J2EE Engine components. Depending on the vulnerability, a special network request is sent by the module, which allows the user to perform a security sensitive operation over the target system.

Procedures for Discovering, Auditing, Detecting Vulnerabilities and Illustrating Security Risks in the SAP Management Console Component

Automated Remote Retrieval of SAP Management Console Administration Methods

The module connects with the target SAP Management Console service and sends an HTTP request for a URL ending in “?wsdl” or equivalent. Upon processing this request, the target server responds with a WSDL file, which is processed by the module. The module analyses which SOAP methods are implemented in the target server and reports associated security risks to the user.

Automated Execution of Administration Methods from a Non-SAP Application

The module provides an interface to execute the existing SOAP methods, either with or without authentication credentials. Through the execution of those methods, the following activities can be performed over the target service:

-   Verify if the SAPMC is password protected
-   Get the environment information of the server
-   Obtain the host instance information
-   Retrieve the profile parameters of an SAP instance
-   Get the SAP start profile contents
-   Get the SAP trace file
-   Get version information from the SAP server
-   List the developer traces
-   List the log files
-   Retrieve a specific log file
-   Retrieve a specific developer trace
-   Shutdown an SAP instance anonymously
-   Shutdown the SAPMC service anonymously
-   Read the ABAP system log
-   Execute operating system commands
-   Others

The module analyses the generated response after each SOAP method is executed, and the results of the analysis are presented to the user. If security risks are detected, they are reported by the module.

Automated Exploitation of Vulnerabilities in SAP Management Console Components

The module exploits reported vulnerabilities in SAP Management Console components. Depending on the vulnerability, a special network request is sent by the module, which allows the user to perform a security sensitive operation over the target system.

Procedures for Discovering, Auditing, Detecting Vulnerabilities and Illustrating Security Risks in the SAP Message Server Component

Automated Retrieval of SAP Profile Parameters

The module connects to the HTTP Administration port of the target SAP Message Server and sends an HTTP request to the /msgserver/text/parameter URL or equivalent, specifying a profile parameter name provided by the user as a request parameter. The module can also be provided with a database file containing the names of all possible profile parameters. The module then sends an HTTP request for each possible parameter and thereby obtains all profile parameters from the target SAP application server. The configuration for each obtained parameter is then analysed for security risks and, if any risk is detected, the module reports it to the user.

Procedures for Detecting Modifications to SAP ABAP Developments in an SAP System

Automatic Security Snapshots of SAP ABAP Developments

The module connects to the database server of the target SAP system and accesses the database instance/schema used to store the SAP system's information.

The module calculates a signature (implemented through CRC, hash algorithm or equivalent) of all or some of the following information:

-   Table field “DATA” of table REPOSRC.
-   Table field “LDATA” of table REPOLOAD.
-   Table field “QDATA” of table REPOLOAD.
-   Table field “LOGICINFO” of table DYNPSOURCE.
-   Table field “CLUSTD” of table O2PAGCON.
-   Any field(s) on any other table(s) that contain information whose integrity needs to be checked.

The retrieved signatures are stored in a local repository. This repository can be implemented as a local relational database.

This module executes the above method with the following steps:

a) connecting to a specific database of the target system
b) accessing the database and retrieving specific entries from specific fields from the database
c) calculating a signature value from the specific entries
d) storing the signature value in a repository remote from the target system (in one implementation, a local repository is used)
f) if multiple signature values exist for the target system, each signature value is stored separately.

Automatic Comparison of Security Snapshots of SAP ABAP Developments

After two snapshots (A and B) of SAP ABAP developments have been performed by the module described above, it is possible to perform an automatic comparison of them.

The module will compare the stored signatures in both snapshots and report the following information:

-   Signature for item X is different in the compared snapshots.
-   Item X does not exist in snapshot B, but it exists in snapshot A.
-   Item X does not exist in snapshot A, but it exists in snapshot B.

This module thus extends the capabilities of the previous module by executing the following steps (and building on the above method):

g) steps a)-f) are executed at least twice at different times
h) the signature values obtained at each execution are compared with one another
i) the differences between the various signature values are reported to the user.
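The snapshot and comparison procedure of the two modules above (steps a) to i)), as an added example that is not the patent's own code. SHA-256 stands in for the CRC/hash signature, an in-memory SQLite database stands in for both the target schema and the local repository, and the key columns and sample rows are assumptions made here.

```python
"""Integrity snapshots of ABAP repository fields and their comparison (added example)."""
import hashlib
import sqlite3
from typing import Dict, List

# (table, key column, data column) triples to sign. The tables and data
# fields come from the list above; the key columns are assumptions.
MONITORED_FIELDS = [
    ("REPOSRC", "PROGNAME", "DATA"),
    ("REPOLOAD", "PROGNAME", "LDATA"),
    ("REPOLOAD", "PROGNAME", "QDATA"),
]


def signature(value) -> str:
    """SHA-256 over the raw field content (bytes or text)."""
    raw = value if isinstance(value, bytes) else str(value).encode("utf-8")
    return hashlib.sha256(raw).hexdigest()


def take_snapshot(target: sqlite3.Connection) -> Dict[str, str]:
    """Steps a)-c): read the monitored fields and sign every entry, keyed as
    TABLE.FIELD:key so that items stay comparable across snapshots."""
    sigs: Dict[str, str] = {}
    for table, key_col, data_col in MONITORED_FIELDS:
        for key, data in target.execute(f"SELECT {key_col}, {data_col} FROM {table}"):
            sigs[f"{table}.{data_col}:{key}"] = signature(data)
    return sigs


def store_snapshot(repo: sqlite3.Connection, name: str, sigs: Dict[str, str]) -> None:
    """Steps d) and f): persist each signature separately in the local repository."""
    repo.execute("CREATE TABLE IF NOT EXISTS snapshots ("
                 "snapshot TEXT, item TEXT, signature TEXT, PRIMARY KEY (snapshot, item))")
    repo.executemany("INSERT INTO snapshots VALUES (?, ?, ?)",
                     [(name, item, sig) for item, sig in sigs.items()])
    repo.commit()


def load_snapshot(repo: sqlite3.Connection, name: str) -> Dict[str, str]:
    rows = repo.execute("SELECT item, signature FROM snapshots WHERE snapshot = ?", (name,))
    return dict(rows)


def compare_snapshots(a: Dict[str, str], b: Dict[str, str]) -> List[str]:
    """Steps g)-i): report changed, removed and added items between A and B."""
    report: List[str] = []
    for item in sorted(set(a) | set(b)):
        if item in a and item in b:
            if a[item] != b[item]:
                report.append(f"Signature for item {item} is different in the compared snapshots.")
        elif item in a:
            report.append(f"Item {item} does not exist in snapshot B, but it exists in snapshot A.")
        else:
            report.append(f"Item {item} does not exist in snapshot A, but it exists in snapshot B.")
    return report


def build_sample_target() -> sqlite3.Connection:
    """Constructed stand-in for the SAP schema (the rows are not real ABAP sources)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE REPOSRC (PROGNAME TEXT PRIMARY KEY, DATA BLOB)")
    db.execute("CREATE TABLE REPOLOAD (PROGNAME TEXT PRIMARY KEY, LDATA BLOB, QDATA BLOB)")
    db.executemany("INSERT INTO REPOSRC VALUES (?, ?)",
                   [("ZREPORT1", b"REPORT zreport1.\nWRITE 'ok'."),
                    ("ZREPORT2", b"REPORT zreport2.\nWRITE 'ok'.")])
    db.executemany("INSERT INTO REPOLOAD VALUES (?, ?, ?)",
                   [("ZREPORT1", b"load-1", b"qload-1")])
    db.commit()
    return db


def demo() -> List[str]:
    """Snapshot A, simulate a modification, a deletion and an addition, snapshot B, compare."""
    target = build_sample_target()
    repo = sqlite3.connect(":memory:")
    store_snapshot(repo, "A", take_snapshot(target))
    target.execute("UPDATE REPOSRC SET DATA = ? WHERE PROGNAME = 'ZREPORT1'",
                   (b"REPORT zreport1.\nWRITE 'tampered'.",))
    target.execute("DELETE FROM REPOSRC WHERE PROGNAME = 'ZREPORT2'")
    target.execute("INSERT INTO REPOSRC VALUES ('ZREPORT3', ?)", (b"REPORT zreport3.",))
    store_snapshot(repo, "B", take_snapshot(target))
    return compare_snapshots(load_snapshot(repo, "A"), load_snapshot(repo, "B"))


if __name__ == "__main__":
    for line in demo():
        print(line)
```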

Procedures for Discovering, Auditing, Detecting Vulnerabilities and Illustrating Security Risks in Operating System and Databases Through SAP Application-Level Protocols

Automated Analysis of Security Permissions and Integrity of SAP Executable and Configuration Files Through SAP Application-Level Protocols

The module connects to the SAP system using the SAP RFC or HTTP interface, or another SAP application-level protocol independent from the underlying Operating System. Once logged in to the target system, the module executes a special function to verify whether the files belonging to the SAP Application Server have their security permissions properly defined, and reports associated security risks to the user. This module also verifies whether the analyzed files have been modified, calculating a security signature for them, comparing it with a known signature and reporting differences to the user.

This module executes a method where the module performs the following steps:

a) connects to the target system
b) executes a special function to verify if files associated with a specific application server have properly defined security permissions
c) reports to the user the results of the verification executed in step b).

For the above method, step a) is executed independently of the underlying operating system of the target system.

Automated Analysis of Security of SAP Users and Groups

The module connects to the SAP system using the SAP RFC or HTTP interface, or another SAP application-level protocol independent from the underlying Operating System. Once logged in to the target system, the module executes a special function to verify whether the existing SAP user groups only contain the required users. The module reports associated security risks to the user.

Procedures for Discovering, Auditing, Detecting Vulnerabilities and Illustrating Security Risks in SAP GUI Installations

Automated Analysis of SAP GUI Version

The module connects to the target Operating System using native interfaces or administration network services. The module obtains the SAP GUI version from the Microsoft Windows Registry. The module compares this version with the latest available version. If the installed version is older than the latest available one, a security risk is reported to the user.

Automated Analysis of SAP GUI Security Settings

The module connects to the target Operating System using native interfaces or administration network services. The module obtains the configuration of the SAP GUI Security Module and other relevant security settings from the Microsoft Windows Registry, such as the configuration of kill-bits for vulnerable or dangerous SAP GUI ActiveX controls, SAP GUI Scripting options and SAP GUI input history configuration. The module compares the detected settings with the best-practice configuration. If these do not match, a security risk is reported to the user.

The module therefore executes a method having the following steps:

a) connecting to the operating system of the target system;
b) retrieving configuration and security settings for specific modules and components of the operating system;
c) comparing the configuration and security settings with specific configuration and settings which are considered safe (these settings and configurations can change over time as industry-defined best practices change);
d) if the safe/best practices configuration and settings do not match the configuration and settings retrieved in step b), a security risk is reported to the user.

Procedures for Expanding Compromise Over Vulnerable SAP Installations

Method for Automating Penetration Testing Through SAP ABAP/Java Agents

After an SAP system has been compromised through an exploit module, it becomes highly interesting to analyze whether an attacker would be able to expand his influence over other systems in the target network.

In order to do so, it is necessary to be able to perform several assessment activities through the compromised system. With that objective, the current invention comprises an ABAP/Java application that is deployed to the compromised SAP system. This application receives instructions from the user. The application provides the following features:

-   Ability to read and write files in the local operating system
-   Ability to execute arbitrary operating system commands in the local operating system
-   Ability to open and close network connections to remote systems
-   Ability to proxy network traffic to specified systems

This module's function can therefore be seen as executing a method with the following steps:

a) receiving configuration instructions from the user;
b) attempting to execute multiple operating system commands on the operating system of the target system;
c) attempting to open and close network connections between the target system and other remote systems;
d) attempting to provide proxy services to network traffic between the target system and specific networked systems.

Of course, the module is launched from within the target system and the steps are executed within the operating system of the target system.

It should be noted that while the above detailed examples use SAP applications, servers, services, and systems, the methods and concepts disclosed above may be used on other systems as well. Other business-critical systems may also be analyzed, probed, and assessed according to the above described methods and systems.

The method steps of the invention may be embodied in sets of executable machine code stored in a variety of formats such as object code or source code. Such code is described generically herein as programming code, or a computer program for simplification. Clearly, the executable machine code may be integrated with the code of other programs, implemented as subroutines, by external program calls or by other techniques as known in the art.

The embodiments of the invention may be executed by a computer processor or similar device programmed in the manner of method steps, or may be executed by an electronic system which is provided with means for executing these steps. Similarly, an electronic memory means such as computer diskettes, CD-ROMs, Random Access Memory (RAM), Read Only Memory (ROM) or similar computer software storage media known in the art, may be programmed to execute such method steps. As well, electronic signals representing these method steps may also be transmitted via a communication network.

Embodiments of the invention may be implemented in any conventional computer programming language. For example, preferred embodiments may be implemented in a procedural programming language (e.g. “C”) or an object oriented language (e.g. “C++”). Alternative embodiments of the invention may be implemented as pre-programmed hardware elements, other related components, or as a combination of hardware and software components.

Embodiments can be implemented as a computer program product for use with a computer system. Such implementations may include a series of computer instructions fixed either on a tangible medium, such as a computer readable medium (e.g., a diskette, CD-ROM, ROM, or fixed disk) or transmittable to a computer system, via a modem or other interface device, such as a communications adapter connected to a network over a medium. The medium may be either a tangible medium (e.g., optical or electrical communications lines) or a medium implemented with wireless techniques (e.g., microwave, infrared or other transmission techniques). The series of computer instructions embodies all or part of the functionality previously described herein. Those skilled in the art should appreciate that such computer instructions can be written in a number of programming languages for use with many computer architectures or operating systems. Furthermore, such instructions may be stored in any memory device, such as semiconductor, magnetic, optical or other memory devices, and may be transmitted using any communications technology, such as optical, infrared, microwave, or other transmission technologies. It is expected that such a computer program product may be distributed as a removable medium with accompanying printed or electronic documentation (e.g., shrink wrapped software), preloaded with a computer system (e.g., on system ROM or fixed disk), or distributed from a server over the network (e.g., the Internet or World Wide Web). Of course, some embodiments of the invention may be implemented as a combination of both software (e.g., a computer program product) and hardware. Still other embodiments of the invention may be implemented as entirely hardware, or entirely software (e.g., a computer program product).

A person understanding this invention may now conceive of alternative structures and embodiments or variations of the above all of which are intended to fall within the scope of the invention as defined in the claims that follow.

Having thus described the invention, what is claimed as new and secured by Letters Patent is:
1. A method for assessing a security configuration of a target computer system, the method comprising: a) scanning previously provided IP addresses and ports; b) fingerprinting detected open ports to identify underlying services for said open ports; c) detecting if said target system is active; d) accessing a database of modules and executing at least one of said modules, said modules being for determining security vulnerabilities accessible through said IP addresses and ports wherein said at least one module is executed based on a configuration of said module; said target computer system is for executing business-critical applications; and wherein at least one of said modules executes a method comprising: cc-1) retrieving destination tables for remote function calls and other interfaces for application servers associated with said target system; cc-2) retrieving log files for applications for said target system; cc-3) determining connections between different systems associated with said target system based on said destination tables and log files; cc-4) graphically mapping said connections; cc-5) providing a user with a graphical map of said connections.
2. A method according to claim 1 wherein step b) comprises the steps of: b1) accessing a fingerprint database containing a plurality of predefined network queries, each predefined query being associated with at least one expected response; b2) sending at least one of said plurality of predefined network queries to said open ports; b3) receiving at least one response to said queries; b4) analyzing said at least one response to determine if said at least one response is an expected response; wherein a receipt of an expected response is an indication of an availability of a specific service at said target system.
3. A method according to claim 1 wherein at least one of said modules is executed based on a method comprising: aa-1) determining a scope of said at least one module, said scope for each module being predetermined and coded into each module; aa-2) in the event said scope is for a system, executing a function of said module once per target system; aa-3) in the event said scope is for a component, executing a function of said module for one specific connector associated with a specific target component; aa-4) in the event said scope is for a connector, executing a function of said module for a specific connector.
4. A method according to claim 1 wherein at least one of said modules executes a method comprising: bb-1) receiving at least one program identifier from a user; bb-2) for each of said at least one program identifier, bb-2-1) connecting to a gateway for said target system; bb-2-2) attempting to initiate a specific server associated with said program identifier on a host for a program identified by said program identifier; bb-3) determining which program associated with said at least one program identifier can be initiated based on a result of step bb-2-1).
6. A method according to claim 1 wherein at least one of said modules executes a method comprising: dd-1) receiving IP address ranges and ports from a user; dd-2) attempting to connect to each IP address and port combination through a software router associated with said target system, each combination being derived from said IP address ranges and ports from step dd-1) and each combination being representative of a connection; dd-3) determining that a connection representing a specific IP address and port combination is successful in the event said software router does not deny a connection attempt using said specific IP address and port combination; dd-4) providing said user with a listing of successful and failed connections.
7. A method according to claim 1 wherein at least one module executes a method for routing network traffic through a software router associated with said target system, the method comprising: ee-1) creating an end-point, said end-point comprising a proxy server and a protocol translator, said protocol translator being for translating a protocol associated with said target system and software routers associated with said target system; ee-2) receiving outgoing network traffic from network software connected to said end-point; ee-3) forwarding said outgoing network traffic to said protocol translator; ee-4) at said protocol translator, packaging said outgoing network traffic into outgoing packets compatible with said software routers associated with said target system; ee-5) forwarding said outgoing packets to software routers associated with said target system; ee-6) receiving incoming packets from said software routers; ee-7) sending said incoming packets to said protocol translator; ee-8) unpacking said incoming packets into incoming network traffic; ee-9) forwarding said incoming network traffic to said network software.
8. A method according to claim 1 wherein at least one module executes a method comprising: ff-1) connecting to a database of said target system; ff-2) accessing said database and retrieving specific entries from specific fields from said database; ff-3) calculating a signature value from said specific entries; ff-4) storing said signature value in a repository remote from said target system; ff-5) in the event multiple signature values exist for said target system, storing each signature value separately.
9. A method according to claim 8 wherein said method further comprises the steps of: ff-6) executing steps ff-1) to ff-5) at least twice at different times; ff-7) comparing signature values obtained at each execution; ff-8) reporting differences between said signature values compared in step ff-6).
10. A method according to claim 1 wherein at least one module executes a method comprising: gg-1) connecting to a target system; gg-2) executing a special function to verify if files associated with a specific application server have properly defined security permissions; gg-3) reporting results of verification executed in step gg-2); wherein said step gg-1) is executed independently of an underlying operating system of said target system.
11. A method according to claim 1 wherein at least one module executes a method comprising: hh-1) receiving configuration instructions from a user; hh-2) attempting to execute a plurality of operating system commands on an operating system of said target system; hh-3) attempting to open and close network connections between said target system and remote systems; hh-4) attempting to provide proxy services to network traffic between said target system and specific networked systems; wherein said module is logically executed in the operating system of said target system.
12. A system for automatically testing at least one target business-critical application running on a target computer system or network of computer systems, for security vulnerabilities or security configuration problems, the system comprising: a core engine subsystem for storing data related to said security vulnerabilities or configurations for at least one target business-critical application; at least one scan engine subsystem in communication with said core engine subsystem, said scan engine subsystem comprising: a system identifier subcomponent for determining resources of said at least one target business-critical application; a plurality of testing and probing modules for automatically testing resources of said at least one target business-critical application and for determining if at least one of a vulnerability and a security configuration problem on said resources exist; an intelligent dispatch subcomponent for launching at least one of said testing and probing modules based on a configuration of said module; wherein said at least one target computer system executes business-critical applications.
13. A system according to claim 12 wherein said at least one computer system comprises at least one computer network comprising at least one computer server.
14. A system according to claim 13 wherein said at least one computer server comprises a database.
15. A system according to claim 12 wherein said resources comprise at least one of services, ports, components, interfaces and connectors.
16. A system according to claim 12 further comprising a user interface for controlling a behavior of said system and for entering parameters for said system.
17. A system according to claim 12 wherein said testing and probing modules utilize at least one of vulnerabilities subject to being exploited, database SQL queries, and configurations to automatically test said resources.
18. A system according to claim 17 wherein said testing and probing modules utilize at least one security vulnerability on said at least one target business-critical application to automatically test said resources of said at least one target business-critical application.
19. A system according to claim 17 wherein said testing and probing modules send database queries to a database of said at least one target business-critical application to determine if security configuration problems exist for said at least one target business-critical application.
20. A system according to claim 17 wherein said testing and probing modules access a configuration of said at least one target business-critical application to determine if security configuration problems exist for said at least one target business-critical application.
21. A system according to claim 17 wherein said testing and probing modules comprise at least one module which performs a white-box analysis of said resources.
22. A system according to claim 17 wherein said testing and probing modules comprise at least one module which performs a black-box analysis of said resources.
23. A system according to claim 12 wherein said at least one module which performs a white-box analysis of said resources is configured with credentials to log into said at least one target business-critical application.
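As an added example for claims 8 and 9 (illustrative code, not the patent's own implementation), a signature is computed over selected fields of retrieved database entries, stored in a repository kept away from the target system, and compared between runs so that a changed signature is reported as a difference. The table, field names, row contents and the in-memory repository are all constructed for this example.

```python
# Added example for claims 8 and 9: a signature over selected database entries, stored off the
# target system and compared across runs. Table, field names, rows and the store are constructed.
import hashlib
import json
from typing import Dict, List, Tuple

Row = Dict[str, object]

def canonical_signature(rows: List[Row], fields: Tuple[str, ...]) -> str:
    """Steps ff-2/ff-3: hash only the chosen fields, in a stable row and key order, so the
    value does not depend on retrieval order or on columns that are expected to change."""
    projected = sorted(json.dumps({f: r.get(f) for f in fields}, sort_keys=True) for r in rows)
    digest = hashlib.sha256()
    for line in projected:
        digest.update(line.encode("utf-8") + b"\n")
    return digest.hexdigest()

class RemoteRepository:
    """Steps ff-4/ff-5: every signature is kept separately, keyed by target, table and run.
    An in-memory dict stands in for the repository remote from the target system."""
    def __init__(self) -> None:
        self._store: Dict[Tuple[str, str], List[Tuple[str, str]]] = {}

    def record(self, target: str, table: str, run_id: str, signature: str) -> None:
        self._store.setdefault((target, table), []).append((run_id, signature))

    def runs(self, target: str, table: str) -> List[Tuple[str, str]]:
        return list(self._store.get((target, table), []))

def report_differences(repo: RemoteRepository, target: str, table: str) -> List[str]:
    """Steps ff-6 to ff-8: compare each run with the previous one and report changes."""
    runs = repo.runs(target, table)
    return [f"{table}: signature changed between run {a} and run {b}"
            for (a, sig_a), (b, sig_b) in zip(runs, runs[1:]) if sig_a != sig_b]

# Constructed sample: a user/profile table; in the second run OPS02 gained an admin profile,
# the rows come back in a different order and a volatile column (last_login) changed.
FIELDS = ("user_id", "profile")
RUN_1: List[Row] = [{"user_id": "ADM01", "profile": "ADMIN_PROFILE", "last_login": "2024-01-01"},
                    {"user_id": "OPS02", "profile": "DISPLAY_ONLY", "last_login": "2024-01-02"}]
RUN_2: List[Row] = [{"user_id": "OPS02", "profile": "ADMIN_PROFILE", "last_login": "2024-02-02"},
                    {"user_id": "ADM01", "profile": "ADMIN_PROFILE", "last_login": "2024-02-01"}]

def demo() -> List[str]:
    repo = RemoteRepository()
    repo.record("sys-a", "users", "r1", canonical_signature(RUN_1, FIELDS))
    repo.record("sys-a", "users", "r2", canonical_signature(RUN_2, FIELDS))
    return report_differences(repo, "sys-a", "users")
```

Because only the selected fields enter the signature, a reordered result set or a changed last_login value yields no report, while the privilege change does.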